RHEL7 XFS Is A Step Backwards Forensically

Red Hat changed the default filesystem in Red Hat Enterprise Linux 7 (RHEL 7) to XFS. In RHEL 6, the default filesystem was EXT4. The rationale for this change, according to Denise Dumas, Director of Software Engineering for Red Hat, was that “it is a better match for our enterprise customers”.

I agree with this position, which incidentally is the position SUSE have maintained for a long time, except that forensically it is somewhat of a step backwards.

You can examine an XFS file’s metadata using xfs_db, but it is much easier to use the xfs_io utility. Like xfs_db, xfs_io is an XFS filesystem debugging tool, but its focus is on the regular file I/O paths rather than the raw XFS volume itself.

As you can see from the above xfs_io output, XFS only supports the three classical Unix filesystem timestamps for files, i.e. atime, mtime and ctime. It does not support an immutable file creation timestamp as the EXT4, NTFS, ZFS and BTRFS filesystems do.

Here, for example, is the output from the stat utility on RHEL 6.4 for a file, helloworld, that is on an EXT4 filesystem:

Note that not having a file creation timestamp is not the end of the world. After all, the EXT2 and EXT3 filesystems did not have one. However, it does complicate things somewhat, and it adds an element of uncertainty to a forensic examination of a system.
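To make that uncertainty concrete, here is an added example (not code from the original post) that records a file's timestamps as a Sleuth Kit bodyfile row, writing crtime as 0 whenever no creation timestamp is available, so a timeline built from it carries no 'B' (birth) events for that file. It assumes the standard bodyfile column order; note that Python's os.stat never exposes st_birthtime on Linux, so on Linux the row shows 0 regardless of filesystem, and only a statx-aware tool would recover crtime from EXT4.

```python
import os
import stat
import tempfile

# Bodyfile (TSK 3.x) layout, one row per file:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# crtime is 0 when the filesystem or OS API gives no creation timestamp,
# which is always the case for XFS on RHEL 7.


def creation_time(st):
    """Return the file birth time if the OS exposes one, else None.

    os.stat only carries st_birthtime on BSD/macOS (and Windows on newer
    Python); on Linux the attribute is absent regardless of filesystem."""
    return getattr(st, "st_birthtime", None)


def bodyfile_row(path):
    """Build one bodyfile line from lstat() data (hash column left as 0)."""
    st = os.lstat(path)
    crtime = creation_time(st)
    fields = [
        "0",                            # MD5 not computed in this example
        path,
        str(st.st_ino),
        stat.filemode(st.st_mode),      # e.g. -rw-r--r--
        str(st.st_uid),
        str(st.st_gid),
        str(st.st_size),
        str(int(st.st_atime)),
        str(int(st.st_mtime)),
        str(int(st.st_ctime)),          # inode change time, not creation
        str(int(crtime)) if crtime is not None else "0",
    ]
    return "|".join(fields)


def demo_row(content=b"hello world\n"):
    """Create a constructed sample file 'helloworld' and return its row."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "helloworld")
        with open(path, "wb") as f:
            f.write(content)
        return bodyfile_row(path)


if __name__ == "__main__":
    print(demo_row())
```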